What could be the last set of the mostly dreaded annual Federal Information Security Management Act (FISMA) reports are arriving from agency inspectors general.
The White House’s recent acceptance that smaller cyber bills may just be better than one big one has buoyed the hope that Congress may actually pass a cyber bill in the next year. And an update to FISMA surely would be included in that smaller bill approach — right?
The long-held criticism of FISMA is that it’s a compliance or checklist exercise, and that audits of agency compliance are too much a pass-or-fail judgment rather than taking into account agencies’ risk-based decisions.
The State Department’s recent report highlights what many see as a problem with FISMA. First off, a good portion of the State IG’s report is redacted for national security reasons. But one fact that is in the open is State doubled the cybersecurity budget of the chief information security officer in the Bureau of Information Resource Management, Office of Information Assurance to $14 million in 2013, in part to hire contractors to better comply with FISMA.
Therein lies the biggest problem with FISMA. Not to play semantics but “improve FISMA compliance efforts” is the key phrase.
Not to improve its cybersecurity or better protect its data, but to comply with the law. Now, maybe within that phrase, State’s IG means to say the agency is using the additional funding to address the 29 recommendations in the fiscal 2013 report, or the 33 recommendations in this year’s audit. But that’s not what the IG wrote so it’s hard to say exactly what auditors meant.
So do the IG’s findings mean State’s systems are insecure or full of holes? Traditionally, State has been a leader in cybersecurity, implementing continuous monitoring and risk-based scoring before nearly every other agency, which leads one to believe it is in better shape than other agencies in terms of understanding its risks and protecting its most important systems and data.
The IG community also recognizes the problem with following the FISMA mandate and understands the changing nature of cybersecurity practices where decisions are made based on risk rather than the blanket protection approach.
Last February, I wrote about the Council of IGs’ effort to develop a new maturity model for agency cybersecurity as a way to get away from the typical FISMA assessment that many believe has little value.
And it seems that maturity model is almost ready for a test run.
During the September Federal Audit Executive Council conference, Andy Patchan, the associate IG for IT at the Federal Reserve Board and Consumer Financial Protection Bureau, and Louis King, the assistant IG for financial and IT audits at the Department of Transportation, presented the proposed maturity model for the information security and continuous monitoring (ISCM).
The draft model includes four levels starting with policies and procedures and ending with continuously improving ISCM practices.
IGs would assess agencies across five areas: ISCM policies and procedures, strategy, implementation for IT assets, security controls assessments, and security status reporting.
As of September, Patchan and King wrote that the plan is to pilot the maturity model in late 2014 and early 2015, and then improve upon it so it can be included in the Homeland Security Department’s fiscal 2015 FISMA metrics for IGs. Eventually, the goal is for the IGs and DHS to develop a FISMA maturity model reporting framework for all 11 information security areas.
But it’s not just the IGs that need to change. DHS has to write risk-based metrics and, most of all, Congress must update the 10-year-old law.
This post is part of Jason Miller’s Inside the Reporter’s Notebook feature. Read more from this edition of Jason’s Notebook.